vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 2.x Full Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=4)
-   -   [release vb2] Database Password Encryption (https://vborg.vbsupport.ru/showthread.php?t=18868)

dabean 05-31-2001 10:00 PM

Updated 15th July 2001
Simplish hack that allows end users to choose if they want to store encrypted versions of their password.

Full details of how this is implemented are contained in the file.
Requirements:
vBulletin 2.0.0
This has not been tested on rc1/2/3 beta1-5. It might work or it might not.

From the June 3rd update onwards an installation script is included, full details in the instructions.

kicks 06-01-2001 03:03 AM

I'll have to check this out, but it sounds very interesting :)

MrLister 06-01-2001 12:20 PM

this is auctually really good. it would be a lot better if vBulletin came with this. I hate people that just use phpMyAdmin and look at your passwords.

rebby 06-01-2001 01:47 PM

sweet!!! :D

Freddie Bingham 06-01-2001 01:49 PM

We will consider switching to encrypted passwords in the future.

rebby 06-01-2001 01:57 PM

Quote:

Originally posted by freddie
We will consider switching to encrypted passwords in the future.
please do... plain text passwords are one of the only things that i don't like about vb.

MrLister 06-01-2001 03:25 PM

plain text passwords are the only reason why i have to memorize so many different passwords for each vB i sign up with.

kicks 06-01-2001 04:56 PM

Quote:

Originally posted by mrlister
plain text passwords are the only reason why i have to memorize so many different passwords for each vB i sign up with.
heh, you too? :)

kdog316 06-03-2001 03:14 AM

dabean, can you explain exactly to me how i do this part:

ALTER TABLE user ADD encryptedpass SMALLINT DEFAULT '0' not null
CREATE TABLE passgen (requesthash char(32) NOT NULL, userid int(10) unsigned DEFAULT '0' NOT NULL, requestedtime int(10) unsigned DEFAULT '0' NOT NULL)

:confused:

tubedogg 06-03-2001 03:24 AM

Just a suggestion - stick your instructions and this file into a zip and put it up instead of just your text file. It's MySQL made easy. :D

Rename this file to dbencrypt.php, stick it in your admin directory and go to it in a browser - login like you would to your Admin CP and then it'll do the queries and link you to your Admin CP.

kdog316 06-03-2001 03:48 AM

does the dbencrypt.php do all the table altering and replacing of the other php files for me?

dabean 06-03-2001 01:04 PM

Updated: (15:05 BST)

Improvements:
- Database update script, delete it after using it. Thanks tubedogg, but i'd already written my own to go with this improved version.
- Encrypted passwords option at registration

Bug fixes:
- Members can no longer follow a password regeneration link more than once.

kdog316 06-04-2001 03:00 AM

i ran the encryption file but i don't see any "make password encrypted" field on registering

dabean 06-04-2001 03:11 AM

As the text file "password_encryption.txt" contained in the zip states, all the installer does is make the database changes for you. You still have to modify the code and templates by following the instructions in the file.

kdog316 06-04-2001 09:36 PM

ok, something wrong is going on here. whenever i edit my member.php file the way you say, i get this error when i try to access my change password, edit options or anything else that has to do with the user profile. this is the error:

Fatal error: Call to undefined function: getuserinfo() in /home/photo/public_html/tmbps/member.php on line 101

and here is line 101 on member.php

PHP Code:

    $bbuserinfo=getuserinfo($userid);


dabean 06-04-2001 10:04 PM

hmm, you've obviously made a mistake in altering the code.

the following lines should exist starting at line 47.

PHP Code:

if ($action=="login") {
  include("./global.php");
  if (isset($username)) {

if these lines do exist then have another look at the precise structure of the alterations you made.

If you'd made any changes to global.php or admin\functions.php as part of any other hacks you have added you may also want to double check them.

kdog316 06-04-2001 10:17 PM

they're at line 42, right after

// ############################### start login ###############################

here is what the code looks like for that section. tell me if anything needs to be switched:


PHP Code:

if ($action=="login") {
  include("./global.php");
  if (isset($username)) {
    // get userid for given username
    if ($user=$DB_site->query_first("SELECT userid,username,password,cookieuser,encryptedpass FROM user WHERE username='".addslashes(htmlspecialchars($username))."'")) {
      // secure passwords
      if ($user[encryptedpass]==1) {
        if ($user[password]!=md5($password)) {  // check secure password
          eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
          exit;
        }
      } else {
        if ($user[password]!=$password) {  // check standard password
          eval("standarderror(\"".gettemplate("error_wrongpassword")."\");");
          exit;
        }
      }
      $userid=$user[userid];
    } else {
      // invalid username entered
      eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
      exit;
    }
    // end secure passwords
      $userid=$user[userid];
    } else {
      // invalid username entered
      eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
      exit;
    }

    if ($user['cookieuser']==1) {
      vbsetcookie("bbuserid",$user['userid']);
      vbsetcookie("bbpassword",md5($user['password']));
    }

    $DB_site->query("DELETE FROM session WHERE sessionhash='".addslashes($session[dbsessionhash])."'");

    $session['sessionhash']=md5(uniqid(microtime()));
    $session['dbsessionhash']=$session['sessionhash'];
    $DB_site->query("INSERT INTO session (sessionhash,userid,host,useragent,lastactivity,styleid) VALUES ('".addslashes($session['sessionhash'])."','$userid','".addslashes($session['host'])."','".addslashes($session['useragent'])."','".time()."','$session[styleid]')");
    vbsetcookie("sessionhash",$session['sessionhash'],0);
    $username=$user['username'];
  }

  $url=ereg_replace("sessionhash=[a-z0-9]{32}&","",$url);
  $url=ereg_replace("\\?sessionhash=[a-z0-9]{32}","",$url);
  $url=ereg_replace("s=[a-z0-9]{32}&","",$url);
  $url=ereg_replace("\\?s=[a-z0-9]{32}","",$url);

  if ($url!="" and $url!="index.php" and $url!=$HTTP_REFERER) {

    if (strpos($url,"?")>0) {
      $url.="&s=$session[dbsessionhash]";
    } else {
      $url.="?s=$session[dbsessionhash]";
    }
    //header("Location: $url");

    $url=str_replace("\"","",$url);
    eval("standardredirect(\"".gettemplate("redirect_login")."\",\"$url\");");
  } else {
    $bbuserinfo=getuserinfo($userid);
    eval("standardredirect(\"".gettemplate("redirect_login")."\",\"index.php?s=$session[dbsessionhash]\");");



dabean 06-04-2001 10:30 PM

hmm, you've repeated the same block of code twice.

PHP Code:

    // end secure passwords
      $userid=$user[userid];
    } else {
      // invalid username entered
      eval("standarderror(\"".gettemplate("error_wrongusername")."\");");
      exit;
    }

should be changed to

PHP Code:

    // end secure passwords
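The login check that kdog316 posted above, with dabean's correction applied (the duplicated block removed), pulled out into one function so the two branches are easy to read. This is an added example written for this thread, not code from the hack or from vBulletin; the $user array mirrors the columns the hack's query selects (password, encryptedpass), and hash_equals() assumes PHP 5.6 or later, which the original PHP 4 code did not have.

```php
<?php
// Added example (not the hack's own code): the per-user password check the
// modified member.php performs at login. encryptedpass = 1 means the row
// stores md5(password); 0 means the row still stores the plaintext password.
// Assumes PHP >= 5.6 for hash_equals(), used so that the comparison does not
// leak timing information about the stored value.

function password_matches(array $user, string $supplied): bool
{
    if ((int)$user['encryptedpass'] === 1) {
        // Hashed row: hash what the user typed and compare against the stored hash.
        return hash_equals($user['password'], md5($supplied));
    }
    // Legacy row: the stored value is the plaintext password itself.
    return hash_equals($user['password'], $supplied);
}

// Constructed sample rows standing in for "SELECT ... FROM user" results.
$legacy = ['userid' => 1, 'username' => 'alice', 'password' => 'hunter2',           'encryptedpass' => 0];
$hashed = ['userid' => 2, 'username' => 'bob',   'password' => md5('correct horse'), 'encryptedpass' => 1];

var_dump(password_matches($legacy, 'hunter2'));       // correct plaintext for a legacy row
var_dump(password_matches($legacy, md5('hunter2')));  // a hash is not a valid password for a legacy row
var_dump(password_matches($hashed, 'correct horse')); // correct password for a hashed row
var_dump(password_matches($hashed, 'wrong'));         // wrong password for a hashed row
```

The first and third calls succeed, the second and fourth fail. Two things to keep in mind when reading the hack's version: the encryptedpass flag must be read from the row, never from request input, or a user could choose which comparison is run; and an unsalted MD5 of a password is only a modest improvement over plaintext, since identical passwords produce identical hashes and short passwords can be looked up in precomputed tables.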


kdog316 06-04-2001 10:47 PM

now i am getting this error:
Parse error: parse error in /home/photo/public_html/tmbps/member.php on line 1370

and here are lines 1366-1370

PHP Code:

eval("standarderror(\"".gettemplate("error_invalidsecureid")."\");");
  }
}

? > 

without the space between the ? and the > of course

dabean 06-04-2001 11:13 PM

okay, take a look at
PHP Code:

// ############################### start secure email password ###############################
if ($action=="securepw") { 

check that ?> doesn't appear above it.

kdog316 06-04-2001 11:22 PM

it wasn't even there. let me see what happens when i add it

kdog316 06-04-2001 11:26 PM

i put it in but it still comes up with the error, and with the line number of the line with ? > in it. also this ? > is not above the security e-mail

dabean 06-04-2001 11:47 PM

hmm, not sure exactly where you have gone wrong then.

rebby 06-05-2001 04:42 PM

in your instructions you have:
Quote:

replace
$users=$DB_site->query("SELECT username,email,password FROM user

with
$users=$DB_site->query("SELECT username,email,password,encryptedpass,userid
with this the email password feature fails.

this change will fix it:
Quote:

replace
$users=$DB_site->query("SELECT username,email,password

with
$users=$DB_site->query("SELECT username,email,password,encryptedpass,userid

rebby 06-05-2001 05:43 PM

this works great, with the exception of the user cp... the Secure password storage is not selected to yes or no by default, and even if you select yes, it does nothing to the db... :confused:

it is encrypting passwords for new users that select to have encrypted passwords from the start though (they can't unencrypt them, like you noted).

dabean 06-05-2001 06:16 PM

Find
PHP Code:

if ($action=="editoptions") {
  $templatesused="modifyoptions_maxposts,modifyoptions_styleset,modifyoptions_stylecell,usercpnav,modifyoptions";
  include("./global.php");
  // do modify profile form

  if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
    show_nopermission();
  }

now after that block add
PHP Code:

  // secure passwords
  if ($bbuserinfo[encryptedpass]) {
    $securepasswordchecked="checked";
    $securepasswordnotchecked="";
  } else {
    $securepasswordchecked="";
    $securepasswordnotchecked="checked";
  }
  // end secure passwords

find
PHP Code:

  if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
    show_nopermission();
  }

  $adminemail=iif($allowmail=="yes",1,0);

change to

PHP Code:

  if ($bbuserinfo[userid]==0 or $permissions['canmodifyprofile']==0) {
    show_nopermission();
  }
  // secure passwords
  $cryptpassword=iif($securepassword=="yes",1,0);
  // end secure passwords
  $adminemail=iif($allowmail=="yes",1,0);

now find
PHP Code:

  //delete cookies if cookie user is off
  if ($cookieuser==0) {
    vbsetcookie("bbuserid","");
    vbsetcookie("bbpassword","");
  }

and after it add
PHP Code:

  // secure passwords
  if ($bbuserinfo[encryptedpass]==1) {
    // md5 hash password & store todo
    $cryptpassword=1;
  } else {
    //
    if ($cryptpassword==1) {
      $DB_site->query("UPDATE user SET password='".addslashes(md5($bbuserinfo[password]))."' WHERE userid='$bbuserinfo[userid]'");
      // set new hashed cookie
      vbsetcookie("bbpassword",md5(md5($bbuserinfo[password])));
    }
  }
  // end secure passwords

find
PHP Code:

  $DB_site->query("UPDATE user
                   SET ".$updatestyles."adminemail='$adminemail',
                      showemail='$showemail',invisible='$invisible',cookieuser='$cookieuser',
                      maxposts='".addslashes($umaxposts)."',daysprune='".addslashes($prunedays)."',
                      timezoneoffset='".addslashes($timezoneoffset)."',emailnotification='$emailnotification',
                      startofweek='".addslashes($startofweek)."',options='$options',receivepm='$receivepm',
                      emailonpm='$emailonpm',pmpopup='$pmpopup',usergroupid='$bbuserinfo[usergroupid]',
                      nosessionhash='$nosessionhash'
                   WHERE userid='$bbuserinfo[userid]'");

and change the line to
PHP Code:

  $DB_site->query("UPDATE user
                   SET ".$updatestyles."adminemail='$adminemail',
                      showemail='$showemail',invisible='$invisible',cookieuser='$cookieuser',
                      maxposts='".addslashes($umaxposts)."',daysprune='".addslashes($prunedays)."',
                      timezoneoffset='".addslashes($timezoneoffset)."',emailnotification='$emailnotification',
                      startofweek='".addslashes($startofweek)."',options='$options',receivepm='$receivepm',
                      emailonpm='$emailonpm',pmpopup='$pmpopup',usergroupid='$bbuserinfo[usergroupid]',
                      nosessionhash='$nosessionhash', encryptedpass='$cryptpassword'
                   WHERE userid='$bbuserinfo[userid]'");

now after
PHP Code:

  if ($newpassword!=$newpasswordconfirm) {
    eval("standarderror(\"".gettemplate("error_passwordmismatch")."\");");
    exit;
  }

add
PHP Code:

  // secure passwords
  if ($bbuserinfo[encryptedpass]==1) {
    $newpassword=md5($newpassword);
  }
  // end secure passwords

Alternatively, download the updated zip file that now contains these additions that i forgot to paste into the original file.

rebby 06-05-2001 06:20 PM

what file is that for??? member.php???

dabean 06-05-2001 06:21 PM

member.php

rebby 06-05-2001 06:23 PM

Quote:

Originally posted by dabean
member.php
thanx... i'll give that a go and let you know.. :)

rebby 06-05-2001 06:34 PM

it now encrypts the password (like it should) however the bullet in the user cp does not reflect this...

rebby 06-05-2001 06:35 PM

Quote:

Originally posted by rebby
it now encrypts the password (like it should) however the bullet in the user cp does not reflect this...
never mind... i missed a block... :D sorry...

chrispadfield 06-10-2001 10:13 PM

Quote:

Originally posted by mrlister
plain text passwords is the only reason why i have to memorize so many different passwords for each vB i sign up with.
I know what you mean however even if the passwords are set as standard to be encrypted (and i am sure it will be an option anyway) you can't trust the person operating the VB as they could easily hack it not to use encrypted passwords. Any password you use should really be unique or there is a chance someone could use it.

Lord Satan 06-15-2001 08:09 AM

Am I to understand that anyone can see anyone's password without the encryption?

What other security holes are there in vBB?

chrispadfield 06-15-2001 08:14 AM

Quote:

Originally posted by Lord Satan
Am I to understand that anyone can see anyone's password without the encryption?

What other security holes are there in vBB?

clearly you don't understand. Only the admin can see anyone's (who has registered at their site's) password. Why would you expect any different. If you pass information to a site you have to expect them to be able to look at it if they want to.

and it is VB not vBB :)

rebby 06-15-2001 11:58 AM

Quote:

Originally posted by chrispadfield
clearly you don't understand. Only the admin can see anyone's (who has registered at their site's) password. Why would you expect any different. If you pass information to a site you have to expect them to be able to look at it if they want to.

and it is VB not vBB :)

actually that is not true. anybody w/access to the sql server can. if the server is compromised... well, i won't point out the obvious....

atrl 06-21-2001 02:35 PM

"Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in /home/atrl/public_html/forums/member.php on line 139" is the error i get. what do i do?

dabean 06-21-2001 04:32 PM

from the php manual: "parse error, expecting `T_STRING' or `T_VARIABLE' ..." Generally that type of error is caused by the echo function; however, as my code fragment doesn't use this particular function it is probably some other hack or modification you've made.

http://www.php.net/manual/en/function.echo.php Read the User Contributed Notes.

jmcneese 06-28-2001 09:21 AM

this is indeed very cool, and i have set it up on my site. one caveat, though.

should a user ever decide to go back to a non-encrypted password, this is not provided for. there of course is the option to select 'no' in the user template, but this has no effect on the stored password in the database. i may just be ignorant, but i don't know of a way to un-MD5 a password hash.

any ideas? otherwise i'll just change the template and remove the 'no' option for encrypted passwords, stating that it's an irreversible option.

thewitt 06-28-2001 11:23 AM

Though I have not looked at this particular hack, MD5 is a hashed-asymmetric encryption that is not reversible.

You cannot take the MD5 hash and turn it back into the plain text password.

-t

rebby 06-28-2001 11:56 AM

Quote:

Originally posted by thewitt
Though I have not looked at this particular hack, MD5 is a hashed-asymmetric encryption that is not reversible.

You cannot take the MD5 hash and turn it back into the plain text password.

-t

true... the only way to do this would be to prompt for the password, store it in a temporary variable, verify that it is correct, and then change the db if it is... you will have to use the temp var though, cause like thewitt said you can't revert an md5 hash...
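The mode switch discussed in this thread, in both directions, as one function. This is an added example written for the thread, not the hack's own code: it covers dabean's opt-in path above (hash the stored value, set encryptedpass=1) and rebby's suggested opt-out path (prompt for the password, verify it against the hash, then store what was typed). It goes slightly beyond the hack in one respect: it verifies the supplied password before changing anything in either direction, so a wrong password cannot alter the row. The row layout mirrors the hack's user table (userid, password, encryptedpass); hash_equals() and the nullable return type assume PHP 7.1 or later.

```php
<?php
// Added example (not the hack's own code). Switch a user row between
// plaintext and md5 storage. encryptedpass = 1 means password holds
// md5(password); 0 means it holds the plaintext. Assumes PHP >= 7.1.

function change_password_storage(array $user, bool $wantEncrypted, string $supplied): ?array
{
    $isEncrypted = (int)$user['encryptedpass'] === 1;

    // Verify the supplied password under the row's CURRENT mode. Nothing is
    // changed unless it matches, which is what makes the reverse direction
    // safe: the plaintext written back is one the user has just proven.
    $expected = $isEncrypted ? md5($supplied) : $supplied;
    if (!hash_equals($user['password'], $expected)) {
        return null;
    }

    if ($wantEncrypted === $isEncrypted) {
        return $user; // already in the requested mode, nothing to do
    }

    // Opt in: store md5(password). Opt out: store the verified plaintext.
    // The hash itself is never "decrypted"; the plaintext comes from the prompt.
    $user['password']      = $wantEncrypted ? md5($supplied) : $supplied;
    $user['encryptedpass'] = $wantEncrypted ? 1 : 0;
    return $user;
}

// The UPDATE the hack issues for the same change, built from the updated row.
// Values are escaped with addslashes() as the hack does elsewhere.
function storage_update_sql(array $user): string
{
    return sprintf(
        "UPDATE user SET password='%s', encryptedpass=%d WHERE userid=%d",
        addslashes($user['password']),
        (int)$user['encryptedpass'],
        (int)$user['userid']
    );
}

// Constructed sample row: a legacy plaintext user.
$alice = ['userid' => 7, 'password' => 'hunter2', 'encryptedpass' => 0];

$hashedRow = change_password_storage($alice, true, 'hunter2');      // opt in with the right password
$rejected  = change_password_storage($alice, true, 'wrong');        // wrong password: no change
$reverted  = change_password_storage($hashedRow, false, 'hunter2'); // opt out after re-prompting

echo storage_update_sql($hashedRow), "\n";
echo storage_update_sql($reverted), "\n";
var_dump($rejected === null);
```

The first UPDATE carries the 32-character hex hash with encryptedpass=1, the second carries the plaintext again with encryptedpass=0, and the attempt with the wrong password returns null without producing any UPDATE. Re-prompting for the password on opt-out also means the stored hash is only ever compared, never reversed, which is the point thewitt and rebby make above.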

